CVE-2026-10823 Overview
CVE-2026-10823 is a broken access control vulnerability in the YMC Filter WordPress plugin before version 3.11.3. The plugin exposes a REST API endpoint that does not properly authorize access and fails to validate a user-supplied query parameter. Unauthenticated attackers can send crafted requests to retrieve titles and content of private, draft, and other non-public posts. The flaw affects confidentiality only, with no direct impact on integrity or availability. Site owners using the plugin for content filtering on WordPress sites are exposed to disclosure of unpublished editorial content, internal notes, and other restricted material stored as posts.
Critical Impact
Unauthenticated remote attackers can read private, draft, and other non-public WordPress post content through an unauthorized REST API endpoint.
Affected Products
- YMC Filter WordPress plugin versions prior to 3.11.3
- WordPress installations exposing the plugin's REST API endpoints
- Sites relying on WordPress post visibility (private, draft, pending) for confidentiality
Discovery Timeline
- 2026-06-26 - CVE-2026-10823 published to NVD
- 2026-06-26 - Last updated in NVD database
Technical Details for CVE-2026-10823
Vulnerability Analysis
The vulnerability is a broken access control issue in one of the plugin's REST API endpoints. The endpoint performs no authorization check to confirm the caller is entitled to read non-public posts. It also fails to validate a user-supplied query parameter that controls which posts are returned. An attacker can manipulate this parameter to request posts with visibility states such as private, draft, pending, or future. WordPress ordinarily restricts such content to authenticated users with appropriate capabilities like read_private_posts or edit_posts. The plugin bypasses these checks by returning post titles and content directly from its endpoint response.
Root Cause
The root cause is a combination of two defects. First, the affected REST route lacks a permission_callback that verifies user capability, or the callback returns true unconditionally. Second, the endpoint accepts a query parameter that selects post status without sanitizing or restricting it to public statuses. Together these gaps allow anonymous requests to enumerate protected content.
Attack Vector
The attack vector is remote and requires no authentication or user interaction. An attacker sends an HTTP GET request to the vulnerable REST endpoint with a manipulated status parameter. The endpoint responds with a JSON payload containing titles and body content of matching non-public posts. No special tooling is required beyond a standard HTTP client. Exploitation leaves standard web server access log entries but no application-level authentication traces.
The vulnerability is described in prose as no verified proof-of-concept code has been published. Refer to the WPScan Vulnerability Report for additional technical detail.
Detection Methods for CVE-2026-10823
Indicators of Compromise
- Unauthenticated HTTP requests to /wp-json/ routes registered by the YMC Filter plugin, particularly those including a post status query parameter
- Access log entries returning HTTP 200 with large JSON payloads to REST endpoints from clients that never authenticated
- Requests containing parameter values such as status=private, status=draft, or status=pending
Detection Strategies
- Inventory WordPress installations and identify sites running YMC Filter below version 3.11.3
- Review web server and WordPress access logs for anonymous calls to the plugin's REST routes returning non-public post data
- Deploy a web application firewall rule that blocks unauthenticated REST requests referencing non-public post statuses
Monitoring Recommendations
- Alert on spikes of anonymous traffic to /wp-json/ endpoints exposed by the plugin
- Monitor outbound response sizes from REST routes to detect bulk content extraction
- Correlate REST endpoint access with subsequent appearance of internal content on external sites or paste services
How to Mitigate CVE-2026-10823
Immediate Actions Required
- Update the YMC Filter plugin to version 3.11.3 or later on all WordPress sites
- Audit private, draft, and pending posts for sensitive content that may have been exposed
- Rotate or redact any credentials, tokens, or non-public information stored inside affected posts
Patch Information
The vendor has released version 3.11.3 of the YMC Filter WordPress plugin, which enforces proper authorization on the affected REST API endpoint and validates the post status query parameter. Administrators should apply the update through the WordPress plugin manager or by deploying the fixed release from the official plugin repository. Verify the installed version after update by reviewing the plugin metadata in wp-admin/plugins.php.
Workarounds
- Disable or remove the YMC Filter plugin until the patched version can be deployed
- Restrict access to /wp-json/ REST routes at the reverse proxy or WAF layer for unauthenticated clients
- Move sensitive content out of WordPress draft or private posts until remediation is confirmed
# Example WP-CLI command to update the plugin to the fixed version
wp plugin update ymc-filter --version=3.11.3
wp plugin get ymc-filter --field=version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

